[olug] SuSE 9.0 proc question

Christopher Cashell topher at zyp.org
Thu May 20 05:44:10 UTC 2004


At Wed, 19 May 04, Unidentified Flying Banana Brian Roberson, said:

> <OT>
> Not to start a holy war.... but most security people are on the
> other side of the fence e.g. inetd is the devil and should never be
> used. I don't personally feel this way, I just prefer not to run inetd.
> I personally do not suggest running anything under inetd - services
> under inetd typically get forgotten about and go on to make security
> holes - 

Yeah, I've heard some people espouse that view myself, though I've never
really agreed with it.  I definitely think that the advantages to
running many services from inetd greatly outweigh the disadvantages.
For example, running services from inetd makes it very easy to use TCP
Wrappers[1], which can markedly increase security and logging capabilities. 

Also, it centralizes where daemons are starting from, and allows you to
very easily disable access for any or all daemons that are started via
inetd.  I don't mean to sound rude, but anyone who doesn't understand
how inetd works, and how many services are often started automatically
upon access by it, should probably not be administering a Unix
machine[2].

> It's all personal preference

Very true.  While I advocate inetd, for its ease of use and for the
ability to use TCP Wrappers, to less experienced admins, I personally use
tcpserver[3] (from DJB's UCSPI-tcp tools[4]) for this kind of thing.  It
provides the advantages of inetd and TCP Wrappers, while providing much
better performance, resource management, and reliability under high
loads.

One last note, while we're discussing security. . . when I refer to
inetd, I'm actually referring to xinetd, or one of the other newer
implementations of inetd, which tend to be much more robust and secure
than the original.  To my knowledge, all of the current Linux/Unix
implementations around use xinetd or one of the newer variants, so it's
not a big deal.  I just wanted to make that clear, though.

> </OT>

 [1] man tcpd(1) for more information.
 [2] Or, at the least, they should immediately review a good book or
     tutorial on Unix administration and/or Unix security.
 [3] http://cr.yp.to/ucspi-tcp/tcpserver.html
     http://networking.earthweb.com/netos/article.php/1547241
     http://www.mandrakesecure.net/en/docs/tcpserver.php
 [4] http://cr.yp.to/ucspi-tcp.html

-- 
| Christopher
+------------------------------------------------+
| Here I stand.  I can do no other.              |
+------------------------------------------------+
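The TCP Wrappers access control that the post credits inetd with making easy is driven by /etc/hosts.allow and /etc/hosts.deny, evaluated in the order described in hosts_access(5): the first matching hosts.allow line grants, otherwise the first matching hosts.deny line refuses, otherwise the connection is granted. The block below is an added example, not code from the post or from libwrap/tcpd: a simplified Python model of that decision procedure run over two constructed rule files. The daemon names, addresses and host names in the samples are made up; unsupported wildcards such as KNOWN, UNKNOWN and PARANOID, and backslash line continuation, are left out.

```python
"""Simplified model of TCP Wrappers hosts_access(5) decisions.

Constructed illustration only: this is not libwrap and does not read /etc.
Rule lines have the form  daemon_list : client_list [ : shell_command ].
"""
import ipaddress


def _match_client(pattern, client_ip, client_name):
    """One client pattern from hosts_access(5) against one connection."""
    if pattern == "ALL":
        return True
    if pattern == "LOCAL":                       # host name without a dot
        return "." not in client_name
    if "/" in pattern:                           # net/mask, e.g. 192.168.1.0/255.255.255.0
        try:
            net = ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            return False
        return ipaddress.ip_address(client_ip) in net
    if pattern.startswith("."):                  # domain suffix, e.g. .corp.example.com
        return client_name.endswith(pattern)
    if pattern.endswith("."):                    # address prefix, e.g. 192.168.1.
        return client_ip.startswith(pattern)
    return pattern in (client_ip, client_name)   # exact host name or address


def _match_list(items, match_one):
    """Evaluate 'a, b EXCEPT c d' lists; EXCEPT applies to everything right of it."""
    tokens = items.replace(",", " ").split()
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        left = " ".join(tokens[:i])
        right = " ".join(tokens[i + 1:])
        return _match_list(left, match_one) and not _match_list(right, match_one)
    return any(match_one(t) for t in tokens)


def parse_rules(text):
    """Parse hosts.allow/hosts.deny text into (daemon_list, client_list) pairs.

    Comments and blank lines are skipped; the optional shell_command field is ignored.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = [f.strip() for f in line.split(":")]
        if len(fields) < 2:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((fields[0], fields[1]))
    return rules


def _rules_match(rules, daemon, client_ip, client_name):
    for daemons, clients in rules:
        daemon_hit = _match_list(daemons, lambda d: d == "ALL" or d == daemon)
        client_hit = _match_list(clients, lambda c: _match_client(c, client_ip, client_name))
        if daemon_hit and client_hit:
            return True
    return False


def hosts_access(daemon, client_ip, client_name, allow_text, deny_text):
    """Order of evaluation as in hosts_access(5): allow file first, then deny
    file, and if neither matches the connection is GRANTED."""
    if _rules_match(parse_rules(allow_text), daemon, client_ip, client_name):
        return "allow"
    if _rules_match(parse_rules(deny_text), daemon, client_ip, client_name):
        return "deny"
    return "allow"


# Constructed sample files (hypothetical daemons, addresses and names).
HOSTS_ALLOW = """\
# hosts.allow: what is explicitly permitted
sshd     : 192.168.1.0/255.255.255.0, .corp.example.com
ALL      : 127.0.0.1
in.ftpd  : ALL EXCEPT 10.0.0.
"""
HOSTS_DENY = """\
# hosts.deny: refuse everything not matched above
ALL : ALL
"""


def decide(daemon, ip, name, deny_text=HOSTS_DENY):
    return hosts_access(daemon, ip, name, HOSTS_ALLOW, deny_text)


if __name__ == "__main__":
    for d, ip, name in [("sshd", "192.168.1.42", "ws42.corp.example.com"),
                        ("sshd", "10.0.0.5", "host5.corp.example.com"),
                        ("in.telnetd", "192.168.1.42", "ws42.corp.example.com"),
                        ("in.ftpd", "10.0.0.7", "10.0.0.7"),
                        ("in.ftpd", "203.0.113.9", "203.0.113.9")]:
        print(f"{d:<11} {ip:<14} {decide(d, ip, name)}")
    # The caveat: with an empty hosts.deny, anything not listed is still granted.
    print("in.telnetd, empty hosts.deny:", decide("in.telnetd", "203.0.113.9", "203.0.113.9", deny_text=""))
```

The last line in the demo is the point a practitioner should take from the evaluation order: TCP Wrappers defaults to granting access, so the centralized control the post describes only holds once hosts.deny carries a catch-all `ALL : ALL` line and hosts.allow lists the exceptions.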